Salvatore,

This is pretty bare-bones for a CVE.
And it would not have become one if the submitter had coordinated with the
upstream project.
It's essentially a false positive.

The crasher happens in the fuzzing scaffolding, not in the library itself.
In this case, a "nice to have" consistency behavior had been added to the
fuzzing tests as an assert.
Fixing this made the library better. But this was no segfault that could
happen in the wild.

We are working on updating the package to the v1.4.11 upstream release.
That will fix this.

Regards, Julius

On Fri, 21 March 2025 at 20:18, Salvatore Bonaccorso <
car...@debian.org> wrote:

> Source: open62541
> Version: 1.4.6-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/open62541/open62541/issues/6825
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <
> t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for open62541.
>
> CVE-2024-53429[0]:
> | Open62541 v1.4.6 has an assertion failure in fuzz_binary_decode,
> | which leads to a crash.
>
> I'm filing this at RC level, it's technically not really RC, but
> open62541 is fresh aiming for trixie, and it would be ideal to start
> without a CVE.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-53429
>     https://www.cve.org/CVERecord?id=CVE-2024-53429
> [1] https://github.com/open62541/open62541/issues/6825
> [2]
> https://github.com/open62541/open62541/commit/b9473527623125b5ca264dae4551f8cc414b3bc3
>
> Regards,
> Salvatore
>
